From: Philippe Mathieu-Daudé
To: Marc-André Lureau, Paolo Bonzini
Cc: Philippe Mathieu-Daudé, qemu-devel@nongnu.org
Date: Sun, 8 Apr 2018 11:59:33 -0300
Message-Id: <20180408145933.1149-1-f4bug@amsat.org>
Subject: [Qemu-devel] [PATCH for-2.12] gdbstub: fix off-by-one in gdb_handle_packet()

memtohex() adds an extra trailing NUL character.

Reported-by: AddressSanitizer
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Stefan Hajnoczi
---

(gdb) dump binary memory /tmp/dram.bin 0x94000000 0x94100000
Remote connection closed

=================================================================
==22732==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe43018340 at pc 0x55f2655fde81 bp 0x7ffe43017210 sp 0x7ffe43017208
WRITE of size 1 at 0x7ffe43018340 thread T0
    #0 0x55f2655fde80 in memtohex /source/qemu/gdbstub.c:520
    #1 0x55f26560254d in gdb_handle_packet /source/qemu/gdbstub.c:1140
    #2 0x55f2656073c3 in gdb_read_byte /source/qemu/gdbstub.c:1703
    #3 0x55f2656076a7 in gdb_chr_receive /source/qemu/gdbstub.c:1909
    #4 0x55f266457656 in qemu_chr_be_write_impl /source/qemu/chardev/char.c:175
    #5 0x55f2664576f9 in qemu_chr_be_write /source/qemu/chardev/char.c:187
    #6 0x55f26646f6f0 in tcp_chr_read /source/qemu/chardev/char-socket.c:470
    #7 0x55f2664bc9e3 in qio_channel_fd_source_dispatch /source/qemu/io/channel-watch.c:84
    #8 0x7f17d01b30f4 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c0f4)
    #9 0x55f2665c7f10 in glib_pollfds_poll /source/qemu/util/main-loop.c:215
    #10 0x55f2665c8100 in os_host_main_loop_wait /source/qemu/util/main-loop.c:263
    #11 0x55f2665c82d6 in main_loop_wait /source/qemu/util/main-loop.c:522
    #12 0x55f26599e13b in main_loop /source/qemu/vl.c:1943
    #13 0x55f2659b0869 in main /source/qemu/vl.c:4734

Address 0x7ffe43018340 is located in stack of thread T0 at offset 4192 in frame
    #0 0x55f265601266 in gdb_handle_packet /source/qemu/gdbstub.c:996

  This frame has 3 object(s):
    [32, 40) 'p'
    [96, 4192) 'buf' <== Memory access at offset 4192 overflows this variable
    [4224, 8320) 'mem_buf'
SUMMARY: AddressSanitizer: stack-buffer-overflow /source/qemu/gdbstub.c:520 in memtohex
Shadow bytes around the buggy address:
  0x1000485fb010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000485fb060: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x1000485fb070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000485fb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22732==ABORTING
---
 gdbstub.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gdbstub.c b/gdbstub.c
index a76b2fa481..18a8d8a710 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -507,6 +507,7 @@ static inline int tohex(int v)
     return v - 10 + 'a';
 }
 
+/* writes 2*len+1 bytes in buf */
 static void memtohex(char *buf, const uint8_t *mem, int len)
 {
     int i, c;
@@ -999,8 +1000,9 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
     const char *p;
     uint32_t thread;
     int ch, reg_size, type, res;
-    char buf[MAX_PACKET_LENGTH];
     uint8_t mem_buf[MAX_PACKET_LENGTH];
+    char buf[sizeof(mem_buf) + 1 /* trailing NUL */];
     uint8_t *registers;
     target_ulong addr, len;
 
-- 
2.17.0
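Review bot: in the first hunk (memtohex, around line 507) the added comment describes what the function writes but not what it requires of the caller, and the bug being fixed is precisely a caller that sized buf for 2*len bytes; wording it as a precondition, e.g. `/* buf must have room for 2*len+1 bytes: two hex digits per input byte plus a trailing NUL */`, makes the constraint read as an obligation rather than a remark, which is what will stop the next caller from repeating the off-by-one.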
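Review bot: in the second hunk (gdb_handle_packet, around line 999) the new bound `char buf[sizeof(mem_buf) + 1 /* trailing NUL */];` lines up with the ASan frame ('buf' at [96, 4192), write at offset 4192, exactly one byte past the end) and with the 2*len+1 contract documented in the first hunk, but it is only sufficient while every memtohex() call that targets buf passes len <= sizeof(mem_buf) / 2; that bound is enforced at the call sites, which are outside this hunk, so it is worth confirming it holds for each memtohex(buf, ...) call in this function and saying so in the commit message. A short note there that buf was moved below mem_buf because sizeof(mem_buf) needs the declaration first would also explain why the diff shows a delete plus an add rather than a one-line change.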